Hi Mate, I take your e-mail as a -1 vote, so this RC VOTE is CANCELLED. I'll prepare another rc.
Regards, Andor On Mon, 2023-07-17 at 22:50 +0200, Szalay-Bekő Máté wrote: > Hello Andor! > > Thanks for this great release! > > I found two issues with RC0: > > 1) OWASP CVE check (mvn dependency-check:check) failed with > "netty-tcnative-boringssl-static-2.0.61.Final-osx-x86_64.jar: > CVE-2011-1797(9.3)" > > This seems to be a false positive to me (looks to be some security > issue > affecting old safari / chromium web browser versions?). I didn't get > deep > into this, but I guess we see this since > https://issues.apache.org/jira/browse/ZOOKEEPER-4622 > > Interestingly, the CI pipeline doesn't catch this CVE ( > https://ci-hadoop.apache.org/view/ZooKeeper/job/zookeeper-multi-branch-owasp/job/master/), > maybe this is some bug in OWASP that is triggered only with certain > maven > versions or during building on certain platforms? I ran OWASP on > Ubuntu > 18.04.2 with maven 3.9.3. > > 2) Also I see that the website ( > https://dist.apache.org/repos/dist/dev/zookeeper/zookeeper-3.9.0-candidate-0/website/index.html) > is still showing "ZooKeeper 3.8 Documentation" on the top > > > What do you think? We shouldn't pass the RC until we are certain > about the > CVE issue. (unless this is something happening only on my setup... it > is > strange that OWAPS is green on CI) > > > Beside these, I ran all my usual RC test steps, and found no other > issues > with the RC: > - verified checksum and gpg signature of the artifacts > - I built the source code (incl. the C-client, using -Pfull-build) on > Ubuntu 18.04.2 using OpenJDK 8u372, maven 3.9.3 and GCC version 7.4.0 > - all the unit tests passed (both Java and C-client) > - I also built and executed unit tests for zkpython > - I also built the java code (without -Pfull-build) using other JDK > versions: 11.0.19, 17.0.7, 20.0.1 (but didn't run the tests this > time, just > used 'clean install -DskipTests') > - checkstyle and spotbugs passed > - apache-rat passed > - fatjar built > - I executed quick rolling-upgrade tests (using > https://github.com/symat/zk-rolling-upgrade-test): > - rolling upgrade from 3.5.10 to 3.9.0 > - rolling upgrade from 3.6.4 to 3.9.0 > - rolling upgrade from 3.7.1 to 3.9.0 > - rolling upgrade from 3.8.2 to 3.9.0 > - compared generated release notes ( > https://dist.apache.org/repos/dist/dev/zookeeper/zookeeper-3.9.0-candidate-0/website/releasenotes.html > ) with Jira ( > https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310801&version=12351304 > ) > > > Best regards, > Máté > > On Mon, Jul 17, 2023 at 3:11 PM Andor Molnar <an...@apache.org> > wrote: > > > Hi team, > > > > This is a release candidate for 3.9.0. > > > > It is a major release and it introduces a lot of new features, most > > notably: > > - Admin server API for taking snapshot and stream out the data > > - Communicate the Zxid that triggered a WatchEvent to fire > > - TLS - dynamic loading for client trust/key store > > - Add Netty-TcNative OpenSSL Support > > - Adding SSL support to Zktreeutil > > - Improve syncRequestProcessor performance > > - Updates to all the third party dependencies to get rid of every > > known > > CVE. > > > > The full release notes is available at: > > > > > > https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310801&version=12351304 > > > > *** Please download, test and vote by July 30th 2023, 23:59 UTC+0. > > *** > > > > Source files: > > > > https://dist.apache.org/repos/dist/dev/zookeeper/zookeeper-3.9.0-candidate-0/ > > > > Maven staging repo: > > > > https://repository.apache.org/content/groups/staging/org/apache/zookeeper/zookeeper/3.9.0/ > > > > The release candidate tag in git to be voted upon: release-3.8.0-1 > > https://github.com/apache/zookeeper/tree/release-3.9.0-0 > > > > ZooKeeper's KEYS file containing PGP keys we use to sign the > > release: > > https://www.apache.org/dist/zookeeper/KEYS > > > > The staging version of the website is: > > > > https://dist.apache.org/repos/dist/dev/zookeeper/zookeeper-3.9.0-candidate-0/website/index.html > > > > > > Should we release this candidate? > > > > > > Regards, > > Andor > > > > > >
